one more fix for the problem with trusts that Scott Poore found when
verifying fixes to bug https://bugzilla.redhat.com/show_bug.cgi?id=1250190
Details are in the commit message.
/ Alexander Bokovoy
From da76899a44af925223816d6e6b03336b457d8e2c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Thu, 20 Aug 2015 15:12:42 +0300
Subject: [PATCH 2/2] trusts: format Kerberos principal properly when fetching
For bidirectional trust if we have AD administrator credentials, we
should be using them with Kerberos authentication. If we don't have
AD administrator credentials, we should be using
HTTP/ipa.master@IPA.REALM credentials. This means we should ask
formatting 'creds' object in Kerberos style.
For one-way trust we'll be fetching trust topology as TDO object,
authenticating with pre-created Kerberos credentials cache, so in all
cases we do use Kerberos authentication to talk to Active Directory
domain controllers over cross-forest trust link.
Part of trust refactoring series.
ipalib/plugins/trust.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 5d04a2a..4e4e0b1 100644
@@ -1487,7 +1487,12 @@ class trustdomain_del(LDAPDelete):
def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options):
trust_name = trust_entry['cn']
- creds = generate_creds(trustinstance, style=CRED_STYLE_SAMBA, **options)
+ # We want to use Kerberos if we have admin credentials even with SMB calls
+ # as eventually use of NTLMSSP will be deprecated for trusted domain
+ # If admin credentials are missing, 'creds' will be None and fetch_domains
+ # will use HTTP/ipa.master@IPA.REALM principal, e.g. Kerberos
+ # as well.
+ creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)
server = options.get('realm_server', None)
domains = ipaserver.dcerpc.fetch_domains(myapi,
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code